Created attachment 537284 [details] emerge --info When running `emaint sync -r gentoo --sync-submodule glsa`, the following message appears (if the portage tree is not already up-to-date): ``` * Verifying /usr/portage ...!!! Manifest verification failed: Manifest mismatch for metadata/glsa/Manifest BLAKE2B: expected: fda02a1ae593b985b50b2f5c6da01d8d7ac30d00fe0520a79e3d3eb092a2cda0a9632d6ae689f43cfe653ae5c07a3caa14aa89faca63d1a07e64a74b2e540fae, have: d34241568d14c06cac92ce77948773230fd22dabceac7b07978f672d051e7b72f9cb9d64150e6687a60945509461230718b5d85b35c6b5710313650338681835 SHA512: expected: 2e5ed1b1d1b75237e52c230cc0a7f799cd7319626c05766d76d0d45f257576f23b94e3dc606ef2c67865734481e820e1dd633efa5cd03674c4ede7fd9041fb8d, have: c2f458eeaa1807c9db1a77256070a850df012a7c2ad06fd4b7d09f214d8027021488b1382cef483182f51effe5c66d68f3016cd73a28e937069b4dc542deaea6 ``` This happens because the hashes for 'metadata/glsa/Manifest' are in 'metadata/Manifest.gz', which (I guess) is not updated by `--sync-submodule glsa`. However, simply syncing the parent Manifests (e.g. 'metadata/Manifest.gz', 'Manifest.files.gz' and 'Manifest') would not work since it would mess up the hashes of other files in the portage tree which were not synced. Using sys-apps/portage-2.3.40-r1 with USE="ipc native-extensions rsync-verify xattr" PYTHON_TARGETS="python3_6"
GLEP 74 says "The sub-Manifest can also be signed using OpenPGP armored cleartext format" here: https://www.gentoo.org/glep/glep-0074.html#manifest-file-locations-and-nesting In fact, the glsa subdirectory does have a signed Manifest file, so we can make gemato verify it independently.
*** Bug 663962 has been marked as a duplicate of this bug. ***